October 13th, 2005, 09:22 PM
Prob in making valid TCP connection (using HPING, failed during 3-way handshaking)
Hello to all networking gurus. I have a problem establishing a valid TCP connection during the 3-way handshake using HPING. As all of you know, to make a valid TCP connection, a 3-way handshake needs to be set up.
My case is, I need to send a customized TCP message (with data as a text string) to a piece of hardware that I'm testing. This hardware is fully functional; at least it was tested from a Mac machine and showed no problem, but now I am using Windows O/S and have a bit of a problem. FYI, I am running WinXP SP1 without any other patches, so I have access to raw sockets using HPING.
When I first sent my TCP message with data to the hardware (command line is -- hping <dest IP> -p <dest port> -E <filename> -d <file length> -c 1), the hardware didn't reply, and I figured out it was because the message I sent had no flags up. Therefore, I know I need to establish a valid TCP connection between my PC and the hardware first, by 3-way handshake. I expect I need to send a SYN-flagged tcp msg to the hardware, then it will reply with a SYN|ACK-flagged tcp msg, and I send another ACK-flagged tcp msg; then the TCP linkage will be set up and I can go ahead and send my TCP data msg with SYN|PSH flags up.
OK, so I sent the SYN-flagged TCP msg w/o data to the hardware. DONE (command line is -- hping <dest IP> -p <dest port> -c 1 -S)
Hardware replied with a SYN|ACK-flagged TCP msg back to my PC, as expected. DONE
HERE, before I initiate the last step of the 3-way handshake, which is the ACK-flagged msg, I see my PC replied with an RST-flagged msg to the hardware!! Dang... the TCP linkage could not be set up, and I could not send my data-filled tcp msg with SYN|PSH flags up..
My questions are:
1) Why was my PC sending an RST-flagged msg to the hardware after it received the SYN|ACK-flagged msg? Is it an HPING problem, or my PC's problem?
2) What should I do if I want my PC to stop sending an RST-flagged msg to the hardware during the last step of the 3-way handshake, and let it send an ACK-flagged msg to complete the TCP linkage?!
3) If HPING doesn't do this kind of job nicely, what program should I use to establish a valid TCP connection, and have it stay open?
October 14th, 2005, 12:17 AM
1. You have used hping to send an arbitrary packet, but you have not yet set up the means to receive any. (I imagine hping has merely put the card in promiscuous mode and uses libpcap to see all traffic destined to the interface.) The TCP/IP layer of your OS will see the SYN/ACK as an unsolicited reply (arbitrary packet construction bypasses the OS's TCP/IP stack), to whatever source port hping happened to use to send the packet. Since the OS is unaware of any sockets listening or connections made on that port, it correctly returns a RST indicating the port is closed.
2. You would need to set up a listener, but even something like netcat (which uses socket calls, not libpcap) would interpret the SYN/ACK as being out of sequence and most likely RST. Possibly a custom firewall rule to block outbound RST packets would work, but even then, you don't appear to be aware of how sequence numbers are used, and your connection will still fail.
3. It does not seem to me that you need to customize the properties of TCP/IP itself, but rather you just want a custom payload in an already established connection. A little C knowledge would do the trick easily, by creating a socket, initiating the connection and then sending the payload. (Also netcat or telnet and perl would suffice.)
"If computers are to become smart enough to design their own successors, initiating a process that will lead to God-like omniscience after a number of ever swifter passages from one generation of computers to the next, someone is going to have to write the software that gets the process going, and humans have given absolutely no evidence of being able to write such software." -Jaron Lanier
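An added example (not code from any poster in this thread) of the approach point 3 recommends: let the operating system's socket API perform the SYN, SYN/ACK, ACK exchange and track sequence numbers, and only supply the payload. Because hping's `-S` packet is built outside the kernel's TCP state, the kernel has no socket to match the SYN/ACK against and answers with RST; a connection opened with `connect()` is owned by the kernel, so the handshake completes and the data is delivered in order. The hardware under test is replaced here by a constructed stub on the loopback interface that echoes whatever it receives upper-cased, and the payload is a constructed stand-in for the text file the original poster passed to hping's `-E` option.

```python
import socket
import threading

# Constructed sample payload, standing in for the OP's "-E <filename>" text string.
SAMPLE_PAYLOAD = b"hello device\r\n"


def start_stub_device():
    """Start a stand-in for the hardware under test on an ephemeral loopback port.

    Returns (thread, port, results). The stub accepts one TCP connection, reads one
    message, records it and echoes it back upper-cased so the client can verify the
    round trip. This is a constructed test double, not the real device's protocol.
    """
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    srv.bind(("127.0.0.1", 0))  # port 0: let the OS pick a free port
    srv.listen(1)
    port = srv.getsockname()[1]
    results = {}

    def serve():
        # accept() returns only after the kernel has completed the 3-way handshake.
        conn, _peer = srv.accept()
        with conn:
            data = conn.recv(4096)
            results["received"] = data
            conn.sendall(data.upper())
        srv.close()

    t = threading.Thread(target=serve, daemon=True)
    t.start()
    return t, port, results


def send_payload(host, port, payload, timeout=5.0):
    """Open a normal TCP connection and send the payload, returning the reply.

    The kernel sends SYN, consumes the SYN/ACK, sends the final ACK and tracks
    sequence numbers; nothing here touches raw packets, so no RST is produced.
    """
    with socket.create_connection((host, port), timeout=timeout) as s:
        s.sendall(payload)
        s.shutdown(socket.SHUT_WR)  # FIN: tell the peer we have nothing more to send
        chunks = []
        while True:
            chunk = s.recv(4096)
            if not chunk:  # peer closed its side: reply is complete
                break
            chunks.append(chunk)
    return b"".join(chunks)


def demo():
    """Run the client against the stub; returns (bytes the device saw, reply)."""
    t, port, results = start_stub_device()
    reply = send_payload("127.0.0.1", port, SAMPLE_PAYLOAD)
    t.join(timeout=5.0)
    return results.get("received"), reply


if __name__ == "__main__":
    received, reply = demo()
    print("device received:", received)
    print("client got back:", reply)
```

To talk to the real device, replace the stub with its address and port in `send_payload`; the client side needs no change, and a packet capture of the exchange will show SYN, SYN/ACK, ACK, then the PSH/ACK segment carrying the payload, with no RST from the client host.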
October 14th, 2005, 07:48 AM
It is HPING which is generating RSTs; I recommend you use nemesis.
October 14th, 2005, 07:19 PM
I'll try to be gentle here...
No matter what tool you use, the results will be the same. The network stack is responding per RFC. If it receives an unsolicited SYN/ACK, the appropriate response is RST. Period. For an example of this, take a look at an idle scan in NMAP.
So, your problem isn't the tool you're using; the problem is how you're executing your test.
HPING rox da house when used properly.
Our scars have the power to remind us that our past was real. -- Hannibal Lecter.
Talent is God given. Be humble. Fame is man-given. Be grateful. Conceit is self-given. Be careful. -- John Wooden